Report a warning if a rule using a 3rd party service timeout.

[sarvaje]

Some of the errors we get with sonar is a timeout when using a 3rd party service in a rule.

We should prevent sonar crash because of that(as we do with axe) and report a warning instead.

[molant]

We have to do that in the following rules:

• no-vulnerable-javascript-libraries (Fix: Catch errors in detecting libraries #626)
• ssllabs

[qzhou1607-zz]

Investigation on why this following timeout didn't stop sonar from crash in the case of ssllabs:
https://github.com/sonarwhal/sonar/blob/ca02a33311e9dc3c17721bd0b916337b5d3617a9/src/lib/sonar.ts#L172-L198

The timeout here is not per rule, but per event. In the cases of some urls, resource loading takes extra long and because the maxRunTime in the online-service worker is fixed (180000 by default), the allowed time for resolving the ssllabs promise is actually shorter than the rulesTimeout. So sonar is terminated before the rule times out. The plan is to add a timeout inside ssllabs, but which value to use is the tricky part since we don't have control over how long the resource loading is going to take.

[molant]

@qzhou1607 so the problem is with the online-scanner, right? Maybe we should change error to warning if we have to kill the process. @sarvaje, thoughts?

[qzhou1607-zz]

The problem is that the rule didn't time out in sonar before time out in the online-service. We can make it time out in sonar sooner (such as in ssllabs we add a timeout with a shorter waiting time like 1 min), or have the jobRunTime in the online-service larger to make up for the extra time consumed in loading resources. But neither solution seems to work in all scenarios.

@qzhou1607 so the problem is with the online-scanner, right?

We can handle TIMEOUT errors in online-service differently so that the job is not labeled as error. But that still leaves the issue that ssllabs doesn't have enough time to run before the process is killed. Maybe we can make jobRunTime for the jobs configurable in the future. So if certain rules such as ssllabs timeout, let the user know and the user can choose to extend the waiting time for the job?

Maybe we should change error to warning if we have to kill the process.

[sarvaje]

I think we need to have a jobRunTime with a value enough to don't fail frequently, but it has to be a reasonable time, because we can't block a worker forever. We can't control if a site is slow or not, so, at some point, we need to abort the execution.

Maybe instead of set the job as error, if we reach the jobRunTime we can set the status of the rules as warning with a message like Sonar didn't return the result faster enough. Please try later and if the problem continue, contact us.